// Copyright (c) 2001-2004 Brian Wellington (bwelling@xbill.org)

package org.xbill.DNS;

import java.security.PrivateKey;
import java.util.Date;

/**
 * Creates SIG(0) transaction signatures.
 * 
 * @author Pasi Eronen
 * @author Brian Wellington
 */

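public class SIG0 {

	/**
	 * The default validity period, in seconds, for outgoing SIG(0) signed
	 * messages. Can be overridden by the sig0validity option.
	 */
	private static final short VALIDITY = 300;

	/** Static utility class; not instantiable. */
	private SIG0() {
	}

	/**
	 * Sign a message with SIG(0). The DNS key and private key must refer to the
	 * same underlying cryptographic key.
	 * <p>
	 * The inception time is the current system time; the expiration time is
	 * the inception time plus the validity period, taken from the
	 * {@code sig0validity} option (in seconds) when that option yields a
	 * non-negative value and {@link #VALIDITY} otherwise. The resulting SIG(0)
	 * record is appended to the ADDITIONAL section of {@code message}.
	 * 
	 * @param message
	 *            The message to be signed
	 * @param key
	 *            The DNSKEY record to use as part of signing
	 * @param privkey
	 *            The PrivateKey to use when signing
	 * @param previous
	 *            If this message is a response, the SIG(0) from the query
	 * @throws DNSSEC.DNSSECException
	 *             propagated from the underlying DNSSEC signing operation
	 */
	public static void signMessage(Message message, KEYRecord key,
			PrivateKey privkey, SIGRecord previous)
			throws DNSSEC.DNSSECException {

		int validity = Options.intValue("sig0validity");
		if (validity < 0)
			validity = VALIDITY;

		long now = System.currentTimeMillis();
		Date timeSigned = new Date(now);
		// Multiply as a long: a large sig0validity value would otherwise
		// overflow int arithmetic and produce an expiration in the past.
		Date timeExpires = new Date(now + validity * 1000L);

		SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey,
				timeSigned, timeExpires);

		message.addRecord(sig, Section.ADDITIONAL);
	}

	/**
	 * Verify a message using SIG(0).
	 * <p>
	 * The SIG(0) record is located by scanning the ADDITIONAL section for the
	 * first SIG record whose type covered is 0; that record (or {@code null}
	 * if none is found) is passed to {@link DNSSEC#verifyMessage} together
	 * with the original wire bytes.
	 * 
	 * @param message
	 *            The message to be verified
	 * @param b
	 *            An array containing the message in unparsed form. This is
	 *            necessary since SIG(0) signs the message in wire format, and
	 *            we can't recreate the exact wire format (with the same name
	 *            compression).
	 * @param key
	 *            The KEY record to verify the signature with.
	 * @param previous
	 *            If this message is a response, the SIG(0) from the query
	 * @throws DNSSEC.DNSSECException
	 *             propagated from the underlying DNSSEC verification
	 */
	public static void verifyMessage(Message message, byte[] b, KEYRecord key,
			SIGRecord previous) throws DNSSEC.DNSSECException {
		SIGRecord sig = null;
		Record[] additional = message.getSectionArray(Section.ADDITIONAL);
		// A SIG(0) is a SIG RR with type covered 0. RFC 2931 places it as the
		// last RR of the ADDITIONAL section; this scan takes the first match
		// and leaves any positional and cryptographic checks to
		// DNSSEC.verifyMessage (not visible here).
		for (int i = 0; i < additional.length; i++) {
			if (additional[i].getType() != Type.SIG)
				continue;
			if (((SIGRecord) additional[i]).getTypeCovered() != 0)
				continue;
			sig = (SIGRecord) additional[i];
			break;
		}
		// NOTE(review): when no SIG(0) is present, sig is null here; confirm
		// that DNSSEC.verifyMessage rejects the message in that case rather
		// than dereferencing the null record.
		DNSSEC.verifyMessage(message, b, sig, previous, key);
	}

}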
